Creating Directory Service Objects

Listing 5.1 showed how to create 1,000 user accounts. To simplify matters, the following section takes a more modest approach by creating one OU, one user account, and one group.

Creating Active Directory objects involves four basic steps:

Connect to the Active Directory container that will store the new object.

Create the object.

Set the object's mandatory attributes, if necessary.

Commit the new object to Active Directory.

The goal of the three scripts in this section is to create an OU named HR (Human Resources department), a user account named MyerKen in the HR OU, and a group named Atl-Users, also in the HR OU.

Creating an OU

The script in Listing 5.2 creates an OU named HR in the na.fabrikam.com domain. All mandatory attributes of an OU are automatically assigned a value by Active Directory. Therefore, the step that sets mandatory attributes does not appear in Listing 5.2.

Creating a User Account

The script in Listing 5.3 creates a user account named MyerKen in the OU named HR. The HR OU is located in the na.fabrikam.com domain. To carry out this task, the script performs the following steps:

Connect to the HR OU container in the na.fabrikam.com domain.

HR is the OU that was created by running the script appearing in Listing 5.2.

Create a user account named MyerKen.

Using an uppercase letter for the first letter of the last and first name is not necessary. However, the case is preserved when the object is saved to Active Directory. Therefore, users will be able to distinguish the last name from the first name when searching Active Directory.

Set the sAMAccountName mandatory attribute to the value myerken.

There is no need to capitalize the first letter of the last and first name for this attribute's value because, typically, users do not perform user account searches on the sAMAccountName attribute.

They perform the same basic steps: They connect to an Active Directory container, create an object, set the object's mandatory attributes (if necessary), and commit the object to Active Directory.

They use the same method (Create) without regard to the class of the object being created.

The script parameters are the only parts of the scripts that are different. Each script contains the class name (organizationalUnit, user, and group) identifying the type of object to create and the object's corresponding attributes (the new object's name and the user's and group's mandatory sAMAccountName attribute).

The steps for creating an OU (Listing 5.2), a user account (Listing 5.3), and a group (Listing 5.4) are strikingly similar, as the three preceding code listings demonstrate. This similarity extends to creating all types of directory objects. This consistency will become even clearer by examining each code line in each listing.

To create an object, the script first connects to a container, a process called binding. Binding occurs on the first line of each listing. In Listing 5.2, the script binds to the domain to create an OU. When creating an object in a domain, think of the domain as simply a container that can hold objects, just as an OU is a container that can hold objects. In Listing 5.3 and Listing 5.4, both scripts bind to an OU to create objects within it. The code in Listing 5.3 creates a user account object, and the code in Listing 5.4 creates a group object.

After binding to a container, the script performs the task of creating an object. To create an object, you must specify two parameters, the object's class and name. In Listing 5.2, the script creates an OU by specifying the organizationalUnit class and the name, ou=HR. In Listing 5.3, the script creates a user account by specifying the user class and the name, cn=MyerKen. In Listing 5.4, the script creates a group by specifying the group class and the name, cn=Atl-Users. You will see these parameter pairs on line 3 of each listing. For information about how to determine an object's class and name, see "ADSI Interfaces" later in this chapter.

Before committing an object to the directory, you must first set any mandatory attributes defined for an object. There are no mandatory attributes that the script needs to set for creating an OU. Therefore, this step does not occur in Listing 5.2. However, line 4 in both Listing 5.3 and Listing 5.4 sets a mandatory attribute (sAMAccountName) for a user account and a group object. The script assigns the mandatory attribute to the object by specifying the mandatory attribute's name and its value. In Listing 5.3, the value is myerken; and in Listing 5.4, the value is Atl-Users. For information about how to determine the mandatory attributes of an object, see "Active Directory Architecture" later in this chapter.

The last step in creating an object is committing (saving) the object to the directory. This final step is the last script line in each listing. Modify, read, and delete tasks also exhibit similar uniformity, as the next sections demonstrate.
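As an added example (not one of the guide's Listings 5.2 through 5.4), the following VBScript performs all four steps for the HR OU, the MyerKen account and the Atl-Users group in na.fabrikam.com, and adds the checks an administrator would want around them: an error check after each commit, and the second write that sets an initial password and clears the disabled and password-not-required flags a freshly created account carries. The password value is a placeholder to be replaced; the ADS_UF_* and ADS_GROUP_TYPE_* constants are the standard ADSI values.

```vbscript
' Added example, not one of the guide's listings. Run on a domain-joined
' machine as an account allowed to create objects in the target containers.
Option Explicit
On Error Resume Next

Const ADS_UF_NORMAL_ACCOUNT = 512                  ' enabled, password required
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &H2
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000
Dim objDomain, objOU, objUser, objGroup

' Step 1: bind to the container. The domain is simply another container.
Set objDomain = GetObject("LDAP://dc=na,dc=fabrikam,dc=com")
CheckErr "binding to na.fabrikam.com"

' Steps 2 and 4 for the OU: Active Directory fills in its mandatory attributes.
Set objOU = objDomain.Create("organizationalUnit", "ou=HR")
objOU.SetInfo
CheckErr "creating ou=HR"

' Steps 2 to 4 for the user: class and name go to Create, the mandatory
' sAMAccountName goes to Put, and SetInfo commits the object.
Set objUser = objOU.Create("user", "cn=MyerKen")
objUser.Put "sAMAccountName", "myerken"
objUser.SetInfo
CheckErr "creating cn=MyerKen"

' A just-committed user is disabled and flagged "password not required".
' Set a password, then clear both flags in a second commit. The password
' value is a constructed placeholder, not a real credential.
objUser.SetPassword "REPLACE-WITH-INITIAL-PASSWORD"
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
objUser.Put "pwdLastSet", 0                        ' must change at first logon
objUser.SetInfo
CheckErr "enabling cn=MyerKen"

' Steps 2 to 4 for the group, stating the group type instead of relying on the default.
Set objGroup = objOU.Create("group", "cn=Atl-Users")
objGroup.Put "sAMAccountName", "Atl-Users"
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
CheckErr "creating cn=Atl-Users"

' Stop at the first failure rather than continue with a half-built object.
Sub CheckErr(step)
    If Err.Number <> 0 Then
        WScript.Echo "Error 0x" & Hex(Err.Number) & " while " & step & ": " & Err.Description
        WScript.Quit 1
    End If
End Sub
```

Run it with cscript so that the error messages go to the console; each CheckErr reports the step that failed and the ADSI error code, which is what you will look up when the bind or commit is refused.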